Cisco 400-251 Actual Free Exam Questions & Community Discussion

Exam Code/Number: 400-251
Exam Name/Title: CCIE Security Written Exam (v5.0)
Certification Provider: Cisco
Corresponding Certification: CCIE Security

Exam Questions: 125
Updated On: May 28, 2026

Question #7

A sneaky employee using an Android phone on your network has disabled DHCP, enabled its firewall, and modified its HTTP user-agent header, to fool ISE into profiling it as a Windows 10 machine connected to the wireless network. This user can now get authorization for unrestricted network access using his Active Directory credentials because your policy states that a Windows device using AD credentials should be able to get full network access. However, an Android device should only get access to the web proxy. Which two steps can you take to avoid this sort of rogue behavior? (Choose two)

A. Create an authentication rule that allows only a session with a specific HTTP user-agent header.

B. Chain an authorization policy to the Windows authorization policy that performs additional NMAP scans to verify the machine type before access is allowed.

C. Modify the authorization policy to allow only Windows machines that have passed machine authentication to get full network access.

D. Add an authorization policy before the Windows authorization policy that redirects a user with a static IP to a web portal for authentication.

E. Perform CoA to push a restricted access when the machine is acquiring address using DHCP.

F. Allow only certificate - based authentication from Windows endpoints, such as EAP-TLS or PEAP-TLS. If the endpoint uses MSCHAPv2 (EAP or PEAP), the user is given only restricted access.

Discussion 0

Correct Answer: C,F Vote an answer

Question #8

How would you prevent making Cisco Email Security Appliance (ESA) an opened relay?

A. Include all of your email domains into HAT table into one of the WHITELIST Sender Groups of your Public Listener

B. Make sure ESA Private Listener has appropriate external sender domains explicitly included in RELAYLIST in Private Listener's HAT (Host Access Table)

C. Make sure to configure ESA RAT (Recipient Access Table) of incoming Mail Listener (Public listener) so it accepts emails for all the domains ESA is responsible for and rejects emails towards all other recipient domains

D. Handle this by specific configuration of incoming Mail Flow policy

Discussion 0

Correct Answer: C Vote an answer

Question #9

Which of the following statement about Cisco Web Security Appliance is true?

A. FTP access to WSA's Management interface is enabled by default

B. Cisco Web Security Appliance (WSA) Management interface can be accessed using GUI interface only

C. Cisco Web Security Appliance (WSA) has HTTPS decryption services enabled by default

D. HTTPS access to WSA's Management interface is enabled by default

Discussion 0

Correct Answer: D Vote an answer

Question #10

Which requirement for the FTD high availability setup is true?

A. Units must be configured in transparent mode

B. Units must be in different domains in FMC

C. Units must have DHCP configured for the interfaces

D. Units must not have the same major, minor, and maintenance software version running on them

E. Units can have any uncommitted changes on FMC and need not be fully deployed

F. Units must be configured in routed mode

G. Units must be synchronized using the same NTP source.

Discussion 0

Correct Answer: G Vote an answer

Question #11

Which is true regarding Authentication Proxy?

A. It first checks if the NAT entry exists for the destination host

B. It does not apply the DACL for the traffic passing through the device

C. It applies a global ACL If the user authentication information not found

D. It triggers only on HTTP connection

E. It triggers on HTTP, HTTPS and FTP connections

F. It prompts user with a web-based authentication if user authentication information found

Discussion 0

Correct Answer: D Vote an answer

Question #12

Policy Sets in ISE are used to

A. Create different Authorization Policies for a single authentication policy

B. To keep RADIUS and TACACS+ policies separate from each other

C. Create different Authentication and Authorization policies for distinct use cases

D. Create different Authentication policies for different use cases while using a single Authorization policy

E. To create exception rules

Discussion 0

Correct Answer: C Vote an answer

Download Free Cisco 400-251 Demo

Simply submit your e-mail address below to get started with our free demo of your Cisco 400-251 exam.